EX436

High Availability Clustering (EX436)

According to the Red Hat Certification Team, this exam is based on Red Hat Enterprise Linux 7.1.

I passed EX436 High Availability Clustering.

Study Points for the EX436 Exam

Candidates should be able to perform the tasks listed below:

  1. Configure a high-availability cluster, using either physical or virtual systems, that:
    1. Utilises shared storage
    2. Provides service fail-over between the cluster nodes
    3. Provides preferred node for a given service
    4. Selectively fails over services based on specific constraints
    5. Preemptively removes non-functioning cluster members to prevent corruption of shared storage
  2. Manage logical volumes in a clustered environment:
    1. Create volume groups that are available to all members of a highly available cluster
    2. Create logical volumes that can be simultaneously mounted by all members of a high-availability cluster
  3. Configure a GFS file system to meet specified size, layout, and performance objectives
  4. Configure iSCSI initiators
  5. Use multipathed devices
  6. Configure cluster logging
  7. Configure cluster monitoring

As with all Red Hat performance-based exams, configurations must persist after reboot without intervention.

Other Exam Related Topics

Libvirt Fencing on KVM

Red Hat Docs and Study Material

Red Hat Certificate of Expertise in High Availability Clustering (EX436)

High Availability Add-On Overview on RHEL 7 (PDF)
High Availability Add-On Administration on RHEL 7 (PDF)
High Availability Add-On Reference on RHEL 7 (PDF)
DM Multipath (PDF)
Global File System 2 (PDF)

Other Study Material

Sander van Vugt’s “Linux High Availability Clustering Complete Video Course” covers all EX436 objectives.

Red Hat Enterprise Linux Developer Suite

You may find the RHEL Developer Suite subscription helpful for developing high availability clustering skills.

The Red Hat Enterprise Linux Developer Suite subscription is available at no cost by registering with the Red Hat Developers Program.

The Red Hat Enterprise Linux Developer Suite Subscription is a self-support option for application development. It includes Red Hat Enterprise Linux, High Availability Add-On, Load Balancer Add-On, Resilient Storage Add-On, Scalable File Systems Add-On, High Performance Network Add-On, Extended Update Support Add-on, Smart Management, and Real Time operating system. This subscription is for development purposes only.

The subscription also provides access to the valuable Red Hat knowledgebase, forums and updates.

15 thoughts on “EX436”

  1. Hello,

    I’m trying to set up a lab with 1 target server and 2 initiator clients, each client having 2 network interfaces on different networks so that I can test multipathing.
    My problem is that when I disconnect the dedicated interfaces, it starts using the default interface, which is configured with a default gateway. How do I configure these dedicated interfaces so that when they are switched off, it will not use the default gateway? I’ve seen plenty of tutorials with routing options that don’t seem to work for my need.

    thanks

    • You need 3 interfaces, where two are non-routable vlans for iSCSI traffic. When you do an iSCSI discovery, use both of the iSCSI vlans. You can also set path_grouping_policy to failover. When both iSCSI paths are down, the storage should no longer be accessible.

      [root@node1 ~]# multipath -ll
      mpatha (36001405688c3235427e49e48d0f04745) dm-2 LIO-ORG ,block1          
      size=1.0G features='0' hwhandler='0' wp=rw
      |-+- policy='service-time 0' prio=0 status=active
      | `- 2:0:0:0 sda 8:0  active faulty offline
      `-+- policy='service-time 0' prio=0 status=enabled
        `- 3:0:0:0 sdb 8:16 active faulty offline

      Journal entries:

      multipathd[14175]: mpatha: sda - path offline
      multipathd[14175]: mpatha: sdb - path offline
    • Thanks, but I am still having difficulties with that topic. If I log in manually it’s OK, but after reboot the disks are missing. Maybe my /etc/iscsi/initiatorname.iscsi file is wrong.

      What should the /etc/iscsi/initiatorname.iscsi file contain? The target name, or one ACL name, or both of them? It’s unclear in the documentation. Maybe because you are using a NetApp, and in my lab I can just simulate that by creating two ACLs.

      Here is my target conf:

      o- / ............................................................................... [...]
        o- backstores .................................................................... [...]
        | o- block ........................................................ [Storage Objects: 1]
        | | o- block01 ............... [/dev/mapper/vgdata-lvdata (1.0GiB) write-thru activated]
        | |   o- alua ......................................................... [ALUA Groups: 1]
        | |     o- default_tg_pt_gp ............................. [ALUA state: Active/optimized]
        | o- fileio ....................................................... [Storage Objects: 0]
        | o- pscsi ........................................................ [Storage Objects: 0]
        | o- ramdisk ...................................................... [Storage Objects: 0]
        o- iscsi .................................................................. [Targets: 1]
        | o- iqn.2018-12.local.rhce:storage .......................................... [TPGs: 1]
        |   o- tpg1 ..................................................... [no-gen-acls, no-auth]
        |     o- acls ................................................................ [ACLs: 4]
        |     | o- iqn.2018-12.com.example.cluster00.storage1:node1 ........... [Mapped LUNs: 1]
        |     | | o- mapped_lun0 ..................................... [lun0 block/block01 (rw)]
        |     | o- iqn.2018-12.com.example.cluster00.storage1:node3 ........... [Mapped LUNs: 1]
        |     | | o- mapped_lun0 ..................................... [lun0 block/block01 (rw)]
        |     | o- iqn.2018-12.com.example.cluster00.storage2:node1 ........... [Mapped LUNs: 1]
        |     | | o- mapped_lun0 ..................................... [lun0 block/block01 (rw)]
        |     | o- iqn.2018-12.com.example.cluster00.storage2:node3 ........... [Mapped LUNs: 1]
        |     |   o- mapped_lun0 ..................................... [lun0 block/block01 (rw)]
        |     o- luns ................................................................ [LUNs: 1]
        |     | o- lun0 ......... [block/block01 (/dev/mapper/vgdata-lvdata) (default_tg_pt_gp)]
        |     o- portals .......................................................... [Portals: 1]
        |       o- 0.0.0.0:3260 ........................................................... [OK]
        o- loopback ............................................................... [Targets: 0]

      Thanks again

    • My homelab is configured with target, I don’t use NetApp at home.

      When you configure your target, you have to create an ACL for each initiator that will be connecting:

      o- / ........................................................................ [...]
        o- backstores ............................................................. [...]
        | o- block ................................................. [Storage Objects: 2]
        | | o- block1 .......................... [/dev/vdb (1.0GiB) write-thru activated]
        | | o- block2 .......................... [/dev/vdc (2.0GiB) write-thru activated]
        | o- fileio ................................................ [Storage Objects: 0]
        | o- pscsi ................................................. [Storage Objects: 0]
        | o- ramdisk ............................................... [Storage Objects: 0]
        o- iscsi ........................................................... [Targets: 1]
        | o- iqn.2003-01.local.hl.nfs:target .................................. [TPGs: 1]
        |   o- tpg1 .............................................. [no-gen-acls, no-auth]
        |     o- acls ......................................................... [ACLs: 4]
        |     | o- iqn.1994-05.com.redhat:node1 ........................ [Mapped LUNs: 2]
        |     | | o- mapped_lun0 ............................... [lun0 block/block1 (rw)]
        |     | | o- mapped_lun1 ............................... [lun1 block/block2 (rw)]
        |     | o- iqn.1994-05.com.redhat:node2 ........................ [Mapped LUNs: 2]
        |     | | o- mapped_lun0 ............................... [lun0 block/block1 (rw)]
        |     | | o- mapped_lun1 ............................... [lun1 block/block2 (rw)]
        |     | o- iqn.1994-05.com.redhat:node3 ........................ [Mapped LUNs: 2]
        |     | | o- mapped_lun0 ............................... [lun0 block/block1 (rw)]
        |     | | o- mapped_lun1 ............................... [lun1 block/block2 (rw)]
        |     | o- iqn.1994-05.com.redhat:node4 ........................ [Mapped LUNs: 2]
        |     |   o- mapped_lun0 ............................... [lun0 block/block1 (rw)]
        |     |   o- mapped_lun1 ............................... [lun1 block/block2 (rw)]
        |     o- luns ......................................................... [LUNs: 2]
        |     | o- lun0 ....................................... [block/block1 (/dev/vdb)]
        |     | o- lun1 ....................................... [block/block2 (/dev/vdc)]
        |     o- portals ................................................... [Portals: 2]
        |       o- 10.12.0.40:3260 ................................................. [OK]
        |       o- 10.13.0.40:3260 ................................................. [OK]
        o- loopback ........................................................ [Targets: 0]

      Then you need to modify the /etc/iscsi/initiatorname.iscsi file on all nodes accordingly (they need to match the given ACLs):

      [root@node1 ~]# cat /etc/iscsi/initiatorname.iscsi 
      InitiatorName=iqn.1994-05.com.redhat:node1
      [root@node2 ~]# cat /etc/iscsi/initiatorname.iscsi 
      InitiatorName=iqn.1994-05.com.redhat:node2
      [root@node3 ~]# cat /etc/iscsi/initiatorname.iscsi 
      InitiatorName=iqn.1994-05.com.redhat:node3
      [root@node4 ~]# cat /etc/iscsi/initiatorname.iscsi 
      InitiatorName=iqn.1994-05.com.redhat:node4
    • Thanks Tomas.
      Comparing my target with yours shows I had only one portal listening on 0.0.0.0 (created by default), while you have two listening respectively on their dedicated network. Removing the default portal and creating the two required solves the issue.
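
The two conditions this thread turned on, written as a check. This is an added example, not code from the post or its commenters: each node's InitiatorName has to appear among the target's ACLs (the only access control on a `no-auth` TPG), and the default 0.0.0.0 portal should give way to portals on the storage networks. The function names and the trimmed `targetcli ls` tree are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a trimmed `targetcli ls` tree modelled on this thread.
SAMPLE_TREE='o- iscsi ...................................... [Targets: 1]
| o- iqn.2003-01.local.hl.nfs:target ............. [TPGs: 1]
|   o- tpg1 ......................... [no-gen-acls, no-auth]
|     o- acls .................................... [ACLs: 2]
|     | o- iqn.1994-05.com.redhat:node1 ... [Mapped LUNs: 2]
|     | o- iqn.1994-05.com.redhat:node2 ... [Mapped LUNs: 2]
|     o- portals .............................. [Portals: 1]
|       o- 0.0.0.0:3260 ............................... [OK]'

# Print every initiator IQN that has an ACL (tree lines tagged "Mapped LUNs").
acl_iqns() {
  printf '%s\n' "$1" | awk '/\[Mapped LUNs:/ {
    for (i = 1; i < NF; i++) if ($i == "o-") { print $(i + 1); break } }'
}

# Print portals bound to all addresses rather than to a storage network.
wildcard_portals() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i < NF; i++)
      if ($i == "o-" && $(i + 1) ~ /^0\.0\.0\.0:[0-9]+$/) print $(i + 1) }'
}

# Succeed only when the InitiatorName= value matches an ACL exactly.
# $1 = content of /etc/iscsi/initiatorname.iscsi, $2 = targetcli tree
initiator_allowed() {
  iqn=$(printf '%s\n' "$1" | sed -n 's/^InitiatorName=//p' | head -n 1)
  [ -n "$iqn" ] && acl_iqns "$2" | grep -Fxq -- "$iqn"
}

# Demo on the constructed sample: node3 has no ACL; the portal is a wildcard.
for node in node1 node3; do
  if initiator_allowed "InitiatorName=iqn.1994-05.com.redhat:$node" "$SAMPLE_TREE"
  then echo "$node: ACL present"
  else echo "$node: no matching ACL on the target"
  fi
done
for portal in $(wildcard_portals "$SAMPLE_TREE"); do
  echo "portal $portal listens on every interface"
done
```

On a lab system the same functions can be fed `"$(targetcli ls)"` from the target and `"$(cat /etc/iscsi/initiatorname.iscsi)"` from each node.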

  2. Hi Guys,

    I am appearing in EX436 exam next week. I have experience with RHEL cluster administration and also completed the Red Hat recommended training. I am looking for some sample exam questions to have an idea.

    Anyone please help me.

    • Hey techguru81,

      Could you provide any help in case you got any sample exam questions?

      Thanks

  3. Hello Thomas,

    thanks for your courses. These are really helpful. I have a few comments and questions:
    – you are taking a lot of care to up SELinux on all your demos but I can’t see it listed on exam requirements, neither does Sander say anything about it in his complete video course, assuming we can just disable it during the exam?
    – similar question around firewalld, in many cases its configuration is straightforward but for fencing it gets complicated, do you think I will lose some points during the exam if I just switch it off?
    – invite link to slack channel is not working anymore and I was not able to join it any different way.

    Regards,
    Mateusz

    • Hi Mateusz, thanks for your feedback, appreciated! To answer your questions, my guides might be somewhat biased when it comes to security, and they will at times contain more information than is necessary to pass an exam. Systems security and Linux hardening are part of my job, therefore I use SELinux/firewalld all the time. As a result, when I write blog posts, I try to explain how to configure them to work with whatever software the exam is for (clustering in this particular case).

      OpenSCAP guide for RHEL 8 recommends that SELinux be enabled using the default policy. If SELinux is enabled during the exam, you should not disable it unless the exam asks you to do so. The same applies to firewalld, if it’s enabled during the exam, you should not disable it, as doing so would go against security’s best practices, and you may lose points. I say “may” because I don’t know if that would actually be the case.

      Slack is notorious for making invitation links inactive, there is little I can do about it but generate a new one.
